Exploitation of SonicWall SSL VPN Vulnerability and Misconfigurations by Akira Ransomware Group on the Rise

September 11, 2025

Cybersecurity threats linked to the Akira ransomware group have intensified, specifically targeting SonicWall devices for initial breaches. Rapid7 has reported a notable increase in attacks on SonicWall appliances, coinciding with heightened Akira ransomware activity observed since late July 2025. SonicWall recently identified that these SSL VPN attacks exploit a year-old security vulnerability (CVE-2024-40766, CVSS score: 9.3) on devices where local user passwords were not changed during migration. “We are seeing a surge in attempts by threat actors to brute-force user credentials,” the company commented. To mitigate risks, it advises enabling Botnet Filtering to block known threats and implementing Account Lockout policies. SonicWall also urged users to review LDAP SSL VPN Default User Groups, highlighting that misconfigurations could represent a “critical weak point.”

SonicWall SSL VPN Vulnerabilities Targeted by Akira Ransomware Group

On September 11, 2025, cybersecurity experts reported a significant uptick in cyber intrusions targeting SonicWall devices, particularly those involving the SSL VPN feature. This surge is attributed to ongoing attacks by the Akira ransomware group, which has recently intensified its efforts since July 2025. Rapid7, a cybersecurity firm, detailed how these vulnerabilities are being exploited, specifically noting the involvement of a serious security flaw identified as CVE-2024-40766, which carries a CVSS score of 9.3.

The flaw in question stems from a failure to reset local user passwords during a migration process, allowing threat actors to use credentials that were carried over unchanged. SonicWall has confirmed that attackers are increasingly using brute-force tactics to gain unauthorized access. The firm has urged its clients to adopt critical security measures, including enabling Botnet Filtering to block known malicious sources and enforcing Account Lockout policies to mitigate the risk from brute-force and credential-stuffing attacks.
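The brute-force activity and the Account Lockout mitigation described above can be checked from the defender's side by counting SSL VPN authentication failures per account and source within a short window. The example below is added here and is not code from the article, SonicWall or Rapid7; the log line format is a constructed, simplified one rather than SonicWall's actual syslog schema, and the threshold of five failures in ten minutes is an assumed lockout policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical, simplified SSL VPN auth log format.
# Five rapid failures for one account followed by a success is the pattern an
# account-lockout policy should have prevented.
SAMPLE_LOG = """\
2025-09-11T08:00:01 sslvpn auth=fail user=jsmith src=203.0.113.10
2025-09-11T08:00:03 sslvpn auth=fail user=jsmith src=203.0.113.10
2025-09-11T08:00:05 sslvpn auth=fail user=jsmith src=203.0.113.10
2025-09-11T08:00:07 sslvpn auth=fail user=jsmith src=203.0.113.10
2025-09-11T08:00:09 sslvpn auth=fail user=jsmith src=203.0.113.10
2025-09-11T08:00:11 sslvpn auth=success user=jsmith src=203.0.113.10
2025-09-11T08:05:00 sslvpn auth=fail user=mlee src=198.51.100.7
2025-09-11T08:30:00 sslvpn auth=success user=mlee src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) sslvpn auth=(fail|success) user=(\S+) src=(\S+)$")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alert dicts for (user, src) pairs that reached `threshold`
    failures inside `window`. A later success from an alerted pair sets
    success_after=True: under a working lockout policy that login should
    not have been possible, so it deserves immediate review."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = {}                    # (user, src) -> alert dict already raised
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2, 3, 4)
        key = (user, src)
        if outcome == "fail":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = {"user": user, "src": src, "first": q[0],
                                "last": ts, "success_after": False}
                alerts.append(alerted[key])
        elif key in alerted:
            alerted[key]["success_after"] = True
    return alerts
```

Feeding real appliance logs would only require adjusting `LINE_RE` to the exporter's field names; the windowing logic is independent of the format.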

In its advisory, SonicWall characterized certain configurations within the LDAP SSL VPN Default User Groups as particularly vulnerable if not properly managed. This misconfiguration could serve as an entry point for cybercriminals, further exacerbating the potential for unauthorized access.

The Akira ransomware group, which is believed to be based in a region known for its cybercrime activities, continues to leverage these vulnerabilities to infiltrate enterprises, posing a considerable threat to organizations that rely on SonicWall technologies. The group employs a variety of techniques outlined in the MITRE ATT&CK framework. Initial access techniques, such as brute-force credential guessing and exploiting known vulnerabilities, are paramount in their operational strategy, further underscoring the importance of stringent security measures.

To prevent such attacks, businesses utilizing SonicWall appliances are encouraged to routinely audit their configurations, particularly the setup of VPN services and user accounts. By doing so, organizations can fortify their defenses and reduce their exposure to emerging threats.

As the cyber landscape evolves, it is essential for business owners to remain vigilant and informed about the latest security vulnerabilities and attack vectors. Adopting proactive measures and understanding the tactics employed by adversaries like the Akira group is key to safeguarding sensitive data and maintaining operational integrity.

The ongoing situation serves as a critical reminder of the vulnerabilities that can exist within commonly used technologies and the importance of ongoing risk assessment and management in today’s digital environment. Organizations should take immediate steps to bolster their cybersecurity postures, ensuring they remain resilient against potential ransomware threats.
